Security Header Adoption — Which Headers Sites Actually Use
Analysis of HTTP security header adoption rates across the web. Real data on CSP, HSTS, X-Frame-Options, X-Content-Type-Options, and Permissions-Policy implementation with best practices.
By Michael Lip · Updated April 2026
Methodology
Adoption rates are compiled from the HTTP Archive Web Almanac (2024 edition), Mozilla Observatory aggregate scan data, and securityheaders.com crawler results covering the Tranco top 1 million sites. Developer discussion data was fetched from the Stack Overflow API on April 10, 2026 using the /2.3/search endpoint with the query intitle:security+headers. SO question counts represent tagged questions across all frameworks.
| Header | Adoption Rate | Year Introduced | Protects Against | Difficulty | Recommended Value |
|---|---|---|---|---|---|
| X-Content-Type-Options | 52.1% | 2008 | MIME-type sniffing attacks | Easy | nosniff |
| X-Frame-Options | 37.4% | 2009 | Clickjacking | Easy | DENY or SAMEORIGIN |
| Strict-Transport-Security | 32.8% | 2012 | Protocol downgrade, cookie hijacking | Easy | max-age=31536000; includeSubDomains; preload |
| Referrer-Policy | 24.5% | 2017 | Information leakage via referer header | Easy | strict-origin-when-cross-origin |
| Content-Security-Policy | 18.6% | 2012 | XSS, data injection, clickjacking (via frame-ancestors) | Hard | default-src 'self'; script-src 'self'; frame-ancestors 'none' |
| X-XSS-Protection | 28.3% | 2010 | Reflected XSS (deprecated) | Easy | 0 (disabled — superseded by CSP) |
| Cross-Origin-Opener-Policy | 8.7% | 2020 | Cross-origin window references (XS-Leaks), Spectre-class leaks | Medium | same-origin |
| Cross-Origin-Embedder-Policy | 5.4% | 2020 | Cross-origin resource leaks | Medium | require-corp |
| Cross-Origin-Resource-Policy | 6.1% | 2020 | Spectre-class side-channel attacks | Medium | same-origin |
| Permissions-Policy | 4.2% | 2021 | Unauthorized feature access (camera, mic, geolocation) | Medium | camera=(), microphone=(), geolocation=() |
Developer Discussions — Real Stack Overflow Questions
Top-voted security header questions from the Stack Overflow API showing real implementation challenges developers face.
| Question | Framework | Votes | Views |
|---|---|---|---|
| Disabling Spring Security headers does not work | Spring | 19 | 15,586 |
| Configure Spring Security headers() by route | Spring | 10 | 1,793 |
| Add security headers to help protection from injection attacks in C# ASP.NET | ASP.NET | 6 | 27,980 |
| How to add HTTP security headers? | PHP/Apache | 6 | 14,886 |
| How to add security headers to firebase hosted application | Firebase | 6 | 4,722 |
| Adding security headers in response using spring security | Spring | 5 | 16,058 |
| Docusaurus v2 set security headers | Docusaurus | 4 | 1,098 |
| .NET Core security headers middleware not adding headers | .NET Core | 3 | 1,780 |
| Security Headers in .htaccess Not Working in EasyApache4 | Apache | 3 | 2,621 |
| Which is best practice to add security headers for Django? | Django | 3 | 2,808 |
| How to add HTTP security headers to Next.js app | Next.js | 3 | 7,303 |
| Adding Security Headers to ASP.NET Core 3.1 Web API | ASP.NET Core | 3 | 18,576 |
Frequently Asked Questions
What are HTTP security headers?
HTTP security headers are response headers a server sends so that the browser enforces a policy on its behalf. Key headers include Content-Security-Policy (CSP) to mitigate XSS, Strict-Transport-Security (HSTS) to enforce HTTPS, X-Frame-Options to prevent clickjacking, and Permissions-Policy to control browser feature access. They are a defense-in-depth layer, not a replacement for output encoding or input validation. Most cost nothing beyond a one-line server configuration; CSP is the exception and has to be tested against the site's own scripts before it is enforced.
Which security header has the highest adoption rate?
X-Content-Type-Options has the highest adoption rate at approximately 52.1% of websites, followed by X-Frame-Options at 37.4% and Strict-Transport-Security (HSTS) at 32.8%. Content-Security-Policy, despite being the most powerful header, has only 18.6% adoption due to its complexity. The newer Permissions-Policy header trails at 4.2%.
Why is Content-Security-Policy adoption so low?
CSP adoption is low because it is hard to configure correctly. A strict policy breaks inline scripts, inline event handlers, third-party widgets, and analytics snippets until each one is adapted. Many sites deploy Content-Security-Policy-Report-Only first, which reports violations but blocks nothing, so it does not count as enforcement. An allowlist policy also requires enumerating every permitted script host, which is tedious and brittle for sites with many third-party integrations. A nonce- or hash-based policy with 'strict-dynamic' avoids the allowlist, but it requires the application to stamp a fresh, unguessable nonce on every script tag it renders.
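The nonce-based alternative mentioned above, as an added example that is not the article's own code. build_csp() follows the widely published strict-CSP pattern (a per-response nonce plus 'strict-dynamic', with https: and 'unsafe-inline' kept only as fallbacks that nonce-aware browsers ignore). TEMPLATE, the user comment, and the render() function are constructed stand-ins for a real template engine; the ordering inside render() is the point of the example.

```python
"""Nonce-based ('strict') CSP, so no script allowlist has to be maintained.

Added example, not the article's code. TEMPLATE and the user comment are
constructed; render() stands in for a template engine.
"""
from __future__ import annotations

import html
import re
import secrets

# Matches a <script opening tag that does not already carry a nonce attribute.
SCRIPT_OPEN = re.compile(r"<script\b(?![^>]*\bnonce=)", re.I)

# Constructed template; USER_COMMENT is the only untrusted interpolation point.
TEMPLATE = """<!doctype html><html><head>
<script src="/static/app.js"></script>
<script>window.__boot = true;</script>
</head><body><div id="comment">USER_COMMENT</div></body></html>"""


def make_nonce() -> str:
    """128 bits from the OS CSPRNG, base64url. Generate one per response and
    never reuse it: a guessable or cached nonce is equivalent to 'unsafe-inline'."""
    return secrets.token_urlsafe(16)


def build_csp(nonce: str, report_uri: str | None = None) -> tuple[str, str]:
    """Return (header name, header value). Pass report_uri to emit the same
    policy as Report-Only for a trial run, which reports but does not block."""
    directives = [
        f"script-src 'nonce-{nonce}' 'strict-dynamic' https: 'unsafe-inline'",
        "object-src 'none'",       # no plugin content
        "base-uri 'none'",         # no <base> hijack of relative script URLs
        "frame-ancestors 'none'",  # clickjacking; replaces X-Frame-Options
    ]
    if report_uri:
        directives.append(f"report-uri {report_uri}")
        return "Content-Security-Policy-Report-Only", "; ".join(directives)
    return "Content-Security-Policy", "; ".join(directives)


def add_nonce_to_scripts(markup: str, nonce: str) -> str:
    """Stamp nonce="..." on every <script> in trusted template markup. Under
    'strict-dynamic' both inline and src= scripts need it; scripts they create
    at runtime (e.g. a tag manager's loader) inherit trust without one."""
    return SCRIPT_OPEN.sub(f'<script nonce="{nonce}"', markup)


def render(nonce: str, user_comment: str) -> str:
    """Order matters: nonce the template first, then interpolate escaped user
    content. Running the regex over the final page instead would hand the nonce
    to any <script> an attacker managed to inject."""
    page = add_nonce_to_scripts(TEMPLATE, nonce)
    return page.replace("USER_COMMENT", html.escape(user_comment))


if __name__ == "__main__":
    nonce = make_nonce()
    name, value = build_csp(nonce)
    print(f"{name}: {value}")
    print(render(nonce, "<script>alert(1)</script>"))
```

Because the nonce appears in the HTML, nonced pages cannot be served from a shared cache as-is; either mark them uncacheable or switch to hash-based sources for static pages. Start with the Report-Only variant, fix the violations it reports, then switch the same policy to enforcement.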
What is the minimum set of security headers every site should have?
Every website should implement at minimum: Strict-Transport-Security (max-age=31536000; includeSubDomains), X-Content-Type-Options: nosniff, X-Frame-Options: DENY (or SAMEORIGIN), Referrer-Policy: strict-origin-when-cross-origin, and a basic Content-Security-Policy. The first four are one-line additions that take minutes to configure; the CSP should start in Report-Only mode and be tightened before it is enforced. Two caveats: HSTS with includeSubDomains commits every subdomain to HTTPS for the whole max-age, so confirm they all serve valid certificates before setting a year-long value, and a CSP frame-ancestors directive supersedes X-Frame-Options in browsers that support it, so set the two consistently.
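A checker for this five-header baseline, written against the recommended values in the adoption table above. It is an added example, not the article's code and not the securityheaders.com scanner; the two header blocks it runs on are constructed samples, and in real use parse_headers() would be fed the headers from a requests or httpx response instead.

```python
"""Audit a response's security headers against the five-header baseline.

Added example (not the article's own code). Input is a raw header block as a
string; the WEAK and STRONG samples are constructed.
"""
from __future__ import annotations

import re

ONE_YEAR = 31536000  # HSTS max-age the table recommends (one year, in seconds)
SAFE_REFERRER = {"no-referrer", "same-origin", "strict-origin",
                 "strict-origin-when-cross-origin"}


def parse_headers(raw: str) -> dict[str, str]:
    """Turn 'Name: value' lines into a lowercase-keyed dict, skipping the
    status line; repeated headers are joined with ', ' as browsers do."""
    headers: dict[str, str] = {}
    for line in raw.splitlines():
        if line.startswith("HTTP/") or ":" not in line:
            continue
        name, _, value = line.partition(":")
        key, value = name.strip().lower(), value.strip()
        headers[key] = f"{headers[key]}, {value}" if key in headers else value
    return headers


def csp_directives(policy: str) -> dict[str, list[str]]:
    """Split a CSP string into {directive: [source expressions]}."""
    out: dict[str, list[str]] = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            out[tokens[0].lower()] = tokens[1:]
    return out


def audit(headers: dict[str, str]) -> dict[str, str]:
    """Map each baseline check to 'ok', 'missing', 'report-only' or 'warn: ...'."""
    findings: dict[str, str] = {}

    hsts = headers.get("strict-transport-security")
    if hsts is None:
        findings["hsts"] = "missing"
    else:
        m = re.search(r"max-age=(\d+)", hsts, re.I)
        age = int(m.group(1)) if m else 0
        if age < ONE_YEAR:
            findings["hsts"] = f"warn: max-age {age} < {ONE_YEAR}"
        elif "includesubdomains" not in hsts.lower():
            findings["hsts"] = "warn: no includeSubDomains"
        else:
            findings["hsts"] = "ok"

    xcto = headers.get("x-content-type-options", "").lower()
    findings["x-content-type-options"] = "ok" if xcto == "nosniff" else "missing"

    csp = headers.get("content-security-policy")
    directives = csp_directives(csp) if csp else {}

    # Either the legacy header or a CSP frame-ancestors directive counts.
    xfo = headers.get("x-frame-options", "").upper()
    framed = "frame-ancestors" in directives or xfo in {"DENY", "SAMEORIGIN"}
    findings["framing"] = "ok" if framed else "missing"

    rp = headers.get("referrer-policy", "").lower()
    findings["referrer-policy"] = "ok" if rp in SAFE_REFERRER else "missing"

    if csp is None:
        # Report-Only blocks nothing, so it is not counted as enforcement.
        has_ro = "content-security-policy-report-only" in headers
        findings["csp"] = "report-only" if has_ro else "missing"
    else:
        script = directives.get("script-src", directives.get("default-src", []))
        nonced = any(s.startswith(("'nonce-", "'sha")) or s == "'strict-dynamic'"
                     for s in script)
        if not script:
            findings["csp"] = "warn: no script-src or default-src"
        elif "'unsafe-inline'" in script and not nonced:
            findings["csp"] = "warn: 'unsafe-inline' without nonce/hash"
        elif "*" in script or "data:" in script:
            findings["csp"] = "warn: over-broad script-src"
        else:
            findings["csp"] = "ok"

    xxp = headers.get("x-xss-protection")
    if xxp is not None and xxp.strip() != "0":
        findings["x-xss-protection"] = "warn: legacy filter enabled; set to 0 or remove"
    return findings


# Constructed samples, not captured from any real site.
WEAK = """HTTP/1.1 200 OK
Content-Type: text/html
Strict-Transport-Security: max-age=3600
X-XSS-Protection: 1; mode=block
Content-Security-Policy-Report-Only: default-src 'self'
"""
STRONG = """HTTP/1.1 200 OK
Content-Type: text/html
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
Referrer-Policy: strict-origin-when-cross-origin
Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; frame-ancestors 'none'
"""

if __name__ == "__main__":
    for label, raw in (("weak", WEAK), ("strong", STRONG)):
        print(label, audit(parse_headers(raw)))
```

The checks mirror the table's thresholds rather than a full grading scheme: a short HSTS max-age, a Report-Only CSP, a script-src that allows 'unsafe-inline' with no nonce or hash, and a non-zero X-XSS-Protection are the misconfigurations most often seen on sites that believe they have the baseline in place.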
Where does this security header data come from?
Adoption rates are compiled from the HTTP Archive Web Almanac reports, Mozilla Observatory scans, and Scott Helme's securityheaders.com crawler data. Stack Overflow question data was fetched via the public API on April 10, 2026; the query returned 20 top-voted questions about security header implementation across various frameworks and platforms, and the questions tabulated above are drawn from that result set.